
Cyber Incident Response
Addressing Challenges and Strengthening Resilience
A DSCI-CISCO POV Paper
September 2023
2 | A DSCI-CISCO POV Paper
Contents

Executive Summary 4
1 Background 6
2 The Impact of Geopolitics in Cyberspace 10
3 India Cyber Threat Landscape 12
4 Cybersecurity Regulations 16
5 Expectations and Obligations from Organizations in Digitalization Context 20
6 Towards Efficient Incident Response: Cyber Defense in Depth Strategy 24
7 Devising a Cyber Incident Response Strategy for your Organization 28
8 Supplementing Organizational Incident Response 36
9 Achieving Regulatory Compliance: Recommendations for Organizations 38
10 Solutions Enabling End-To-End Security to Enterprises 40
11 Conclusion 48
12 Encapsulate 50
13 Annexure 52
14 References 63



Executive Summary

The current cybersecurity landscape poses significant challenges that fetter the effectiveness of cyber incident reporting: underreporting of incidents, inconsistent reporting standards, limited information sharing, complex regulatory requirements, and geopolitical volatility. Alongside these, a rapidly evolving threat landscape impedes accurate threat assessment, information sharing, and collaborative response to cyber incidents. In light of these challenges, this point of view paper addresses the intricacies of the evolving cyber landscape, explores the impact of geopolitics on cyberspace, and examines the vulnerabilities and challenges specific to the Indian cyberspace.

The paper outlines the phases of incident response and provides recommendations for organizations to devise a comprehensive cyber incident response strategy. It reiterates the challenges faced by IT security teams in managing the multitude of cybersecurity technologies. The complexity of multiple security products from different vendors and the overwhelming number of alerts generated pose significant difficulties for organizations, further exacerbated by the scarcity of cybersecurity skills. This fragmented approach leads to silos in security data and gaps in threat detection and response.
The paper highlights the expectations and obligations for organizations in the context of digitalization, with a focus on the responsibilities of Chief Information Security Officers (CISOs).

By acknowledging and addressing these complexities, organizations can better navigate the cybersecurity landscape, enhance incident reporting practices, and develop strategies to mitigate cyber threats more effectively.

Endpoint security is not the culmination; rather, it is a crucial element of a more comprehensive, unified security strategy. When endpoint security functions in tandem with the other components of the security stack, it increases a security program's overall effectiveness and efficiency while giving greater visibility into modern, complex attack efforts. Threat detection and remediation technologies such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), etc. are the bedrock elements to strengthen and materialize endpoint security objectives. The paper explores solutions that enable end-to-end security for enterprises, with a specific focus on XDR as one of the approaches.

The paper concludes by emphasizing the need for organizations to prioritize cybersecurity, implement effective defense strategies, and comply with regulations to protect their data and infrastructure. By adopting proactive measures and leveraging advanced security solutions like XDR, organizations can enhance their security posture, ensure adherence to regulatory requirements and foster a culture of cyber resiliency.


1 Background

Figure 1: Global cyber threat landscape
• 43% of cyber attacks are targeting MSMEs.1
• 83% of MSMEs are not equipped to recover from a cyber attack.2
• 35% of the cost of a data breach can be saved with a robust incident response.3
• 83% of organizations have more than 1 breach in a year.4
• 45% of data breaches are cloud based.5
• 31% decline in brand value due to a data breach.6
• $1.75 million average business lost due to a cyber incident.7
• 100-200 days spent on detecting a breach.8


Cybersecurity is becoming challenging in the ever-evolving modern Information and Communication Technologies (ICT) driven world. Migration to the cloud has given organizations new capabilities and opportunities for digitalization. However, the risks associated with these technologies have increased exponentially, jeopardizing the organization's safety in cyberspace.

Cyberattacks are expected to grow as technologies become increasingly ingrained in the world economy and infrastructure. Global cyberattacks grew by 38% in 2022 compared to 2021, with India experiencing 13.9 lakh cyber incidents in 20229. The average cost of a data breach globally increased to $4.35 million in 2022 from $4.24 million the year before10. India has witnessed a 6.6% increase in the cost of a data breach in the year 2022, with a single incident costing an organization 17.5 crore11.

Increasing data breaches can be attributed to the lack of 3.4 million competent cybersecurity professionals12. India needs 1 million cybersecurity professionals to bridge the existing gap between the advancements in the hyper-digital society and the trembling cyberspace13.

The lack of skilled professionals, coupled with an exponential increase in data breaches, has left organizations vulnerable to attacks and breaches. A total of 11,58,208 cyber events were reported by the Computer Emergency Response Team (CERT-In) in 2020, more than three times as many as in 2019. In 2021, this uptick persisted with 14,02,809 incidents14. Given the significant amount of friction between people, processes, and technology, security efficacy is stagnating, and the average dwell time is still around 280 days15. Businesses are grappling with monetary losses, damaged intellectual property, compromised customer information, and decreasing valuations.

Figure 2: Dissecting the $4.35 million loss due to a cyber incident.
Obvious Costs: Investigation - Detection, Containment, Eradication, Recovery; Breach notification; Geography specific compliance; Ad-hoc litigation costs; Cybersecurity process improvements; Increase in cost of premium.
Hidden Costs: Productivity loss; Loss of customer relationships; Loss of intellectual property; Reputational damage.


Figure 3: Cyber Threat Actors: Classification. Cyber threat agents are classified along the axes Ad Hoc / Organised, Malicious / Accidental, and Low Sophisticated (Hacktivists) / Highly Sophisticated; examples named in the figure: Resentful Employee, Script Kiddies.

Furthermore, the rapid expansion of the Internet of Things (IoT) has led to increased complexity and a surge in cyberattacks targeting sensitive data. IoT devices are vulnerable to various attack vectors, including user interface vulnerabilities, cloud service exploits, protocol-level attacks, and system interconnections. In 2021, there were 11.3 billion IoT gadgets present globally. By 2023, this figure is estimated to reach 15.1 billion16. With remote work becoming mainstream, threat actors now have multiple weak points to probe and launch attacks. Working from home is evolving into a new entry point for these cybercriminals to conduct alternative forms of data theft.

Data breaches can stem from different sources, including targeted attacks on specific organizations, opportunistic attacks on vulnerabilities discovered online, and inadvertent breaches resulting from mistakes or third-party failures. Organizations are now experiencing a 29 percent increase in ransomware attacks from 2018 to 202217. The most common cyber attacks that result in data breaches are ransomware, phishing, malware, and illegal access18. The volatility in the geopolitical landscape is also contributing to the upsurge in Advanced Persistent Threats (APTs) driven by politically or ideologically motivated hacktivists and state-sponsored cyber incidents. Geographies across the globe are coming up with regulations to combat security breaches and establish cyber hygiene.


Figure 3 (continued): Professional Hackers. Strategically Motivated (S-APTs): Cyber Terrorism, Industrial Espionage (e.g. Phillips 66). Operationally Motivated (O-APTs): Engaging in Criminal Activity for Financial Gains (e.g. T Mobile and Huawei). Other examples named in the figure: Capital One, Solar Winds, Operation Sony.


2 The Impact of Geopolitics in Cyberspace

• 86% of cyber leaders and 93% of business leaders agree that global geopolitical uncertainty will most likely or moderately lead to a cyber catastrophe in the next two years. Source: World Economic Forum, Global Cybersecurity Outlook 2023.
• 74% of organization leaders agree that global geopolitical instability has influenced their cyber strategy. Source: World Economic Forum, Global Cybersecurity Outlook 2023.

Cybersecurity and geopolitics are closely intertwined and are constantly reshaping the technological, legal, and regulatory landscape. The current geopolitical developments have profoundly impacted global cyber strategy and tactical cybersecurity operations. Leaders have realized that the cascading impact of cybersecurity events from one business to another and across borders is beyond a single entity's control. Geopolitics matters as it impacts global organizations even if they aren't direct targets (refer to Case Study 1). Geopolitical conflicts utilize cybersecurity as a weapon, leading to complex and persistent attacks. Economic interests are affected by disruptions in trade and supply chains. Geopolitical factors shape regulatory environments, international relations, and public trust.

Case Study 1: Attacks on Energy Sector


“Interconnected nature of the global economy means that a cyber-attack in one
country can have far-reaching implications for organizations and individuals
around the world.”

The attack on the Indian critical establishment was reported to have taken place in 2019 by a North Korean hacking group. The attack involved malware that was found on the establishment's administrative network. The malware was said to have originated from a phishing email that was sent to an employee. Once the employee clicked on the link in the email, the malware was able to infiltrate the network and spread to other systems.

Geopolitical Implications: The attack did not result in any damage to the establishment's operations, but it raised concerns about the security of critical infrastructure in India and the potential impact on multinational organizations that rely on the establishment for their energy needs. Since the establishment is a joint venture between two nations, the incident highlighted the potential for cyber attacks to impact international partnerships and collaborations.

Building security, resiliency, and trust would require collaboration and cooperation across public and private sector players in charge of our shared digital infrastructure. Businesses need to improve their internal procedures and policies and the efficiency of their third-party cybersecurity controls. Developing a clearer understanding of cyber dangers is necessary for long-term cyber resilience in order to integrate security into strategic business priorities.


3 India's Cyber Threat Landscape

India's remarkable strides in digitalization are changing the way citizens and other state entities operate. In line with the G20's policy initiatives, India is quickly transforming its policy and administrative infrastructure to achieve this goal. Nevertheless, this transformation poses new risks and susceptibilities, particularly in terms of cyber threats from adversaries both inside and outside the country.


Digitalization in India

Current active internet users in India stand at 759 million*. By 2025, the number will surpass 900 million. In 2021, more than 3.8 thousand government services in India were provided over the internet.#

Figure 4: Indian Cyberspace19, 20. Statistics shown in the figure:
• 70-75% of Indian companies admit the need for more security professionals.
• 13.7% of attacks target govt. agencies.
• 13.91 lakh cybersecurity incidents in 2022.
• India had 700,000 malware attacks in 2022.
• Ransomware: 10.51%; avg. $1.2 million ransom paid for data decryption.
• 125% increase in cyber attacks between 2021 and 2022.
• 100% increase in attacks on MSMEs.
• 14,983,271 cyber attacks were detected in India.

3.1 Vulnerabilities & Attacks in Indian Cyberspace

Attacks on Health Infrastructure

• The Indian healthcare industry became the most targeted sector, facing ~1.9 million cyberattacks in 2022.21
• A premium health institute became the prime target of a ransomware attack, compromising the data of millions of patients due to an attack on its servers.
• Major pharmaceutical companies were targeted to steal critical information and data on vaccine research and trials across borders, notably from Russia, China, North Korea, and Iran.

*As on May 2023, Kantar & IAMAI Internet in India 2022 report.
#Statista. (2022, September 13). Number of online services provided by the government India FY 2016-2021.


Attacks on Aviation Sector

• Top airlines in the country are experiencing increasing cyber attacks (Ransomware, Phishing, DDoS, Data Breaches, and Cyber Espionage), compromising millions of customer records, including various degrees of Personally Identifiable Information (PII), including passport and credit card information.

Attacks on Financial Sector

• Indian banks experienced 248 successful data breaches between March 2018 and June 2022: 41 from the public sector, 205 from the private sector, and 2 from overseas.22
• One of the leading India-based payment companies, handling payments for tech giants and leading e-marketplaces, suffered a data breach impacting 35 million customers.
• High risk of cybercrimes such as UPI frauds and debit or credit card cloning due to the lack of cybersecurity hygiene among a significant number of digital payment users.
• Around 40% of fraudulent activities in India are caused by digital and cyber-related problems in the fintech sector.

Attacks on State & Critical Infrastructure21,22

• In 2017, Kolkata, Delhi, Bhubaneswar, Pune, and Mumbai were impacted by the 'WannaCry' ransomware attack.
• The Chinese hacker group 'RedEcho' caused a power grid failure in Mumbai, disrupting traffic, the stock market, and hospitals at the peak of the COVID pandemic.
• Ransomware attacks on state-owned infrastructure are on the rise, for example the attack on Jawaharlal Nehru Port Container Terminal (JNPCT).

3.2 Challenges in Indian Cyberspace

• Rising cases of cyber warfare.
• Lack of a unified national-level architecture, despite the setting up of the National Critical Information Infrastructure Protection Centre (NCIIPC).
• Harmonised supply chains increase the risk from tech hardware and embedded software; indigenisation and installation of trusted products are key.
• India's National Cybersecurity Policy (2013) is outdated and needs to be refreshed to address present-day technological and ecosystem realities.
• Lack of adequately trained cybersecurity professionals in the Indian workforce.
• Limited focus on promoting innovation and entrepreneurship; government and private R&D labs working in silos in areas of national priority.


4 Cybersecurity Regulations

The increasing cybersecurity threats, the lack of preparedness of organizations, and the high cost of cyber incidents have propelled governments across the globe to come up with mandates to augment and strengthen cybersecurity in the country. These efforts are materializing in the form of regulatory and compliance frameworks such as Cyber Emergency Response Team guidelines (India, Singapore, etc.)23 to proactively defend national and organizational cybersecurity interests for the various stakeholders in the ecosystem. The table below lists the cyber incident and breach notification timelines across jurisdictions.


Geography/Country24 | Regulatory Body | Sectoral Regulatory Bodies | Governing Law/Regulations | Timeframe for reporting Cyber Incidents (within the following hours*)
India | CERT-In | - | IT Act, CERT-In Directions | 6 hours of noticing/detecting such incidents.25
India | - | RBI (Reserve Bank of India) - Financial Institutions | Cybersecurity Framework for Banks | Within 2-6 hours of noticing/detecting such incidents.
India | - | TRAI (Telecom Regulatory Authority of India) - Telecom Sector | - | Reporting prescribed. Timelines not defined.
India | - | SEBI (Securities and Exchange Board of India) - Stockbrokers | Cybersecurity & Cyber Resilience Framework | Within 6 hours of noticing/detecting such incidents.
India | - | IRDAI (Insurance Regulatory and Development Authority of India) - Insurance Sector | Information and Cybersecurity Guidelines | Within 6 hours of becoming aware of the incident. A copy of the report to be sent to IRDAI and other relevant regulators/authorities.
Singapore | SingCERT | Personal Data Protection Commissioner | Personal Data Protection Act | 3 days; to affected individuals: as soon as practicable.
Singapore | - | Monetary Authority of Singapore (MAS) - Financial Services | - | 1 hour
Singapore | - | Critical Infrastructure | Cybersecurity Act 2018 | 2 hours
USA | US CERT: Cybersecurity and Infrastructure Security Agency (CISA) | - | Cyber Incident Reporting for Critical Infrastructure Act, 2022 | 72 hours
Australia | Australian Cybersecurity Centre: AUS-CERT | - | SOCI (Security of Critical Infrastructure) Act | Critical Asset: verbal 12 hours, written 84 hours. Non-Critical Asset: verbal 72 hours, written 48 hours.
United Kingdom | National Cybersecurity Centre: U.K CERT | - | NIS (Network and Information Security) Regulations | 72 hours
United Kingdom | - | FCA (Financial Conduct Authority) | - | As soon as becoming aware.
European Union | CERT E.U/ENISA (European Network and Information Security Agency) | - | NIS Directive, e-privacy Directive | 72 hours

24 Refer to the annexure for a detailed guide to cybersecurity regulation across jurisdictions.

4.1 Data Breach and Incident Response - India

CERT-In on Cyber Incidents: Indian Computer Emergency Response Team (CERT-In) directions provide a structured approach to manage and respond to cyber incidents in India. The directions are designed to help organizations to identify, respond to, and recover from cyber incidents in a timely and effective manner.

• Incident Reporting: Organizations in India must report cyber incidents to CERT-In within six hours of being informed.
• PoC Appointment: Designation of a responsive Point of Contact (PoC) for communication with CERT-In is mandatory.
• Log Maintenance & Time Synchronization: Secure maintenance of ICT system logs for 180 days and synchronization of clocks with trusted NTP (Network Time Protocol) servers.
• Customer Information: Network service providers and other relevant entities must register and maintain accurate customer information for at least five years.
• KYC Requirements: Virtual asset providers and custodian wallet providers are required to retain Know Your Customer (KYC) information and financial transaction records for five years.

Intermediaries have a due diligence obligation to report security breaches to CERT-In, with a template provided for incident reporting.26
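As an added example (not from the paper or from DSCI/Cisco), the following Python script audits two of the CERT-In directions listed above: it parses a logrotate configuration to estimate how many days each log is retained against the 180-day requirement, and checks that a chrony/ntp configuration names only time sources on the organization's own allow-list. The configuration text, log paths and server names are constructed for illustration.

```python
"""Audit log retention and NTP sources against the CERT-In directions
summarised above: ICT logs kept for 180 days, clocks synced to trusted NTP.
Added example, not the paper's own code; all inputs below are constructed."""
import re
from dataclasses import dataclass

REQUIRED_RETENTION_DAYS = 180  # per the CERT-In direction

# Days per rotation for each logrotate frequency keyword.
FREQUENCY_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7,
                  "monthly": 30, "yearly": 365}


@dataclass
class Finding:
    subject: str   # log path, or "ntp" for the time-source check
    ok: bool
    detail: str


def parse_logrotate(text: str) -> dict:
    """Map each `path { ... }` stanza to its directives.
    A directive's value is its first argument, or True for bare keywords.
    Assumes one path per stanza; the first token is taken literally."""
    stanzas = {}
    for m in re.finditer(r"^(\S+)\s*\{(.*?)^\}", text, re.S | re.M):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()   # drop trailing comments
            if line:
                parts = line.split()
                directives[parts[0]] = parts[1] if len(parts) > 1 else True
        stanzas[m.group(1)] = directives
    return stanzas


def retention_days(directives: dict):
    """Estimated retention: `rotate N` times the rotation period,
    capped by `maxage` when present. None when neither bound can be
    computed (e.g. size-based rotation with no frequency keyword)."""
    bounds = []
    if "maxage" in directives:
        bounds.append(int(directives["maxage"]))
    freq = next((k for k in FREQUENCY_DAYS if k in directives), None)
    if freq is not None and "rotate" in directives:
        bounds.append(int(directives["rotate"]) * FREQUENCY_DAYS[freq])
    return min(bounds) if bounds else None


def parse_ntp_sources(text: str) -> list:
    """Hostnames on server/pool/peer lines of a chrony.conf or ntp.conf."""
    sources = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("server", "pool", "peer"):
            sources.append(parts[1])
    return sources


def audit(logrotate_text: str, ntp_text: str, trusted_ntp: set) -> list:
    """One Finding per log stanza, plus one for the NTP configuration."""
    findings = []
    for path, directives in parse_logrotate(logrotate_text).items():
        days = retention_days(directives)
        if days is None:
            findings.append(Finding(path, False, "retention not determinable"))
        elif days < REQUIRED_RETENTION_DAYS:
            findings.append(Finding(path, False,
                f"~{days:g} days retained, {REQUIRED_RETENTION_DAYS} required"))
        else:
            findings.append(Finding(path, True, f"~{days:g} days retained"))
    sources = parse_ntp_sources(ntp_text)
    untrusted = [s for s in sources if s not in trusted_ntp]
    if not sources:
        findings.append(Finding("ntp", False, "no time source configured"))
    elif untrusted:
        findings.append(Finding("ntp", False,
                                "untrusted sources: " + ", ".join(untrusted)))
    else:
        findings.append(Finding("ntp", True, f"{len(sources)} trusted source(s)"))
    return findings


# Constructed sample inputs; not real configurations.
SAMPLE_LOGROTATE = """\
/var/log/auth.log {
    weekly
    rotate 4            # 4 weeks: short of the 180-day requirement
    compress
}
/var/log/app/audit.log {
    daily
    rotate 200
    maxage 365
}
/var/log/nginx/access.log {
    monthly
    rotate 12
}
"""
SAMPLE_CHRONY = """\
server ntp.example-trusted.in iburst   # on the allow-list
pool pool.example.org iburst           # not on the allow-list
"""
TRUSTED_NTP = {"ntp.example-trusted.in"}  # hypothetical allow-list

if __name__ == "__main__":
    for f in audit(SAMPLE_LOGROTATE, SAMPLE_CHRONY, TRUSTED_NTP):
        print("PASS" if f.ok else "FAIL", f.subject, "-", f.detail)
```

The estimate is conservative by design: a stanza with size-based rotation and no frequency keyword is reported as not determinable rather than assumed compliant.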


5 Expectations and Obligations from Organizations in Digitalization Context

Complying with country-specific directions can often be daunting for organizations grappling with limited manpower and escalating operational costs. Revamping technological capabilities is paramount to quickly identify incidents, reduce damage, and mitigate reputational damage. Organizations can better prepare themselves to respond to incidents effectively and efficiently by building internal capacities to complement their cyber incident strategy. This involves investing in the right tools and technologies, and equipping analysts with sufficient resources to maintain the security of networks, systems, and applications, thus enabling organizations to contribute to an overall security program by proactively remediating security incidents.


5.1 The CISO's Evolving Role & Responsibilities:

Why cybersecurity should be the CISO's priority:
• Minimising reputational damage caused by a data breach.
• Ensuring regulatory compliance with the laws to do business.
• Financial implications - increase in cost of a data breach.
• Strategic planning to foolproof the organization from upcoming cyber threats.
• Understanding the legal liabilities as a consequence of a data breach.
• Ensuring business continuity.

To ensure the success of Digital Transformation strategies, cybersecurity should be integrated into the design and implementation process instead of being an afterthought. It is the responsibility of the CISO to maintain the security and integrity of the IT network and infrastructure, including data and applications on-prem and in the cloud, using cutting-edge technologies.

Traditionally, the CISO team would work in isolation to protect the organization from cyber threats, but modern threats require a more agile and integrated approach. The security team should play a strategic role in the organization and use proactive and reactive measures to ensure business continuity and gain a competitive advantage.


Approaches to strengthening organizational cybersecurity posture:
• Proactive: Cyber Defense-in-Depth Strategy.
• Reactive: Cyber Incident Response.
6 Towards Efficient Incident Response: Cyber Defense in Depth Strategy

Cyber defense in depth is a proactive approach to cybersecurity that aims to prevent attacks by layering multiple security controls. This includes both technical controls, such as firewalls and intrusion detection systems, and non-technical controls, such as employee training and security awareness.

Figure 5: Layers of Security in Defense in Depth: Physical Security, Network Security, Hardware Security, Software Security, Data Security.


The concept of defense in depth, originally derived from military tactics, aims to impede and discourage attackers by slowing down their progress. In the realm of cybersecurity, this approach involves implementing countermeasures to safeguard crucial assets and creating targeted protection mechanisms for areas that are identified as weak, vulnerable, or prone to attack. For defense in depth to be effective, it must encompass people, technology, and operations.

Why is it important?

• Increased Resilience: An organization can ensure that even if one layer is breached, other layers can still provide some level of protection.
• Deterrence: The presence of multiple layers of defense can act as a deterrent to cyber criminals, who may be less likely to target an organization with strong defenses.
• Better Detection: An organization is more likely to detect cyber threats at an early stage, thus minimizing damage.
• Protection Against Advanced Threats: Cyber defense in depth can provide additional protection against APTs by using a combination of technologies and strategies.
• Compliance: Many regulations and standards require organizations to implement multiple layers of defense to protect sensitive data.

6.1 Stages of Cyber Defense in Depth Strategy: Adopting a Risk-Based Approach

Figure: stages of the cyber defense in depth strategy. Stages shown: Detection, Protection, Management, Response, Recovery. Controls shown: Vulnerability scanning; Penetration Testing; Cyberawareness training; Authentication Policy; Embedded risk-based security controls; Supply Chain Security Management; Incident Reporting; Cybersecurity Incident Response; Cyber Insurance; Business Continuity Management; IT Disaster Recovery.

6.1.1 Detection

• Be aware of the potential dangers organizations may encounter and identify the areas of cyber defenses that are most susceptible to breaches.
• Conduct frequent vulnerability scanning and penetration testing to stay ahead of emerging threats.

6.1.2 Protection

• Empower your employees as a vital line of defense by providing them with security knowledge and responsibilities. While not all organizations require extensive security measures, implementing a fundamental level of security is indispensable.
• Showcase your commitment to cybersecurity excellence by obtaining certifications for security schemes.

6.1.3 Management

• Adopt a comprehensive approach to protect your organization against cyber threats, including risk-based security controls and supply chain oversight.
• Regularly conduct audits to ensure robust protection and adherence to security standards and compliance with regulations.
• Certifications, such as ISO 27001, serve as a tangible testament to customers, stakeholders, and employees that your organization adheres to and upholds the highest standards of information security best practices.

6.1.4 Response

• While implementing security measures can reduce the impact of a successful attack, having a response plan in place is crucial to containing the damage and minimizing associated costs.

Data Breach Reporting: This becomes even more critical in the event of personal data breaches, which must be reported to the relevant data protection authorities.

6.1.5 Recovery

• Recovering from a cyber-attack or data breach can prove more disruptive than anticipated. Though critical services can often be restored, returning to normal operations can take several months. To alleviate some of the associated concerns, having cyber insurance coverage can provide peace of mind. It ensures that your organization has the necessary financial support when it is most needed, facilitating a swift and efficient recovery process. Cyber insurance serves as a valuable safeguard, enabling your organization to rebound promptly from the impact of cyber incidents.

Defense in depth is structured to prevent and detect security incidents. However, if it fails to curtail the occurrence of a cyber incident, incident response is triggered. In such cases, effective incident management comes into play. This involves swiftly identifying the nature and the scope of the incident, containing its impact, eliminating the threat, and restoring affected systems to their normal state.

Cyber defense in depth is about building a strong foundation of security controls to deter attacks, while a cyber incident response strategy is about having a plan in place to deal with attacks that do occur.
7 Devising a Cyber Incident Response Strategy for your Organization

Cyber incident response is a reactive approach: a structured way to identify, respond to, and recover from cyber incidents effectively and efficiently. An incident response strategy typically includes processes, procedures, and protocols to detect, analyze, contain, eradicate, and recover from incidents. It involves a coordinated effort between various stakeholders within an organization, including incident response teams, IT personnel, legal and public relations departments, and external entities such as CERT. The goal of an incident response strategy is to minimize the damage caused by an incident, restore normal operations, and prevent future incidents by learning from the incident and implementing the necessary improvements.


Technology alone falls short
• Technology needs support from people and processes to address blind spots, misconfigurations, maintenance issues, and other challenges that can undermine its effectiveness.

The people angle
• People are critical assets in incident response. They manage stakeholder expectations, make important decisions, think creatively, and address blind spots and pain points.

Vitality of processes
• Well-developed processes ensure consistency, muscle memory, documentation, and stress-tested actions. They facilitate effective coordination, communication, and decision-making during incidents.

Figure 6: The people, process, technology lens

The people, process, technology triad plays a crucial role in the incident response life cycle, ensuring a comprehensive and pragmatic approach to handling security incidents. Here are some important considerations for each area:

People:

Responding to a security incident should not be viewed as solely a technical matter, and individuals from various departments beyond IT should be actively involved. To ensure an effective response, a well-defined management structure that is easy to implement and execute is necessary27.

The management schema for incident response typically includes the following roles:

1. Incident Response Team (IRT): The IRT is responsible for the overall management of the incident response effort. This team typically includes members from the IT department, security team, and other relevant departments.
2. Incident Response Coordinator: The incident response coordinator is responsible for coordinating the response effort, ensuring that all necessary contacts are involved, and managing communication between the various parties.
3. Technical Contacts: Technical contacts are responsible for investigating and resolving the technical aspects of the incident. This may include members of the IT department, security team, or external security consultants.
4. Legal Contacts: Legal contacts are responsible for managing legal aspects of the incident, such as compliance with regulations, reporting requirements, and potential legal liabilities.
5. Public Relations Contacts: Public relations contacts are responsible for managing the public relations aspects of the incident, including communicating with the media, customers, and other stakeholders.

Thus, by defining these roles and responsibilities and ensuring that all necessary parties are involved, organizations can respond to security incidents more effectively and minimize the impact of the incident on their operations, customers, and partners.

Figure 7: Management Schema of Incident Response

(Figure; roles and responsibilities shown in the diagram:)
• Helpdesk: helpful in instances of an attack on the organization's public servers (e.g. DDoS); addresses intra-organizational queries in instances of incidents.
• Computer Security Emergency Response Team: responsible for designing, implementing, and updating technical solutions, and for maintaining the procedures and guidelines for incident response.
• Manager, Senior Manager, CISO, Security Officer, Incident Response Capability Leader: internal coordination and reporting.
• Communications: communicating in the aftermath of an attack with third parties, contractors, media agencies, and other stakeholders in the ecosystem.
• Network/System Administrator: technical workforce of the organization; aids in feedback in case of cyber incidents.
• Users: awareness & training.
• Investigations Team and Human Resource: handling situations in cases where the source of the attack was within the organisation ("disgruntled employee").
• Law Enforcement Team; Legal/Compliance Advisor; Corporate Investigations: policies & procedures, incident tracing, corporate perimeter.
• Other CSIRTs; Consultants; ISP (traceability); cyber resilience.

Process:

1. Incident response plan: A comprehensive incident response plan should be developed, detailing the steps that should be taken in the event of a security incident. The plan should be regularly updated and tested to ensure that it remains effective.

2. Communication procedures: Clear communication procedures should be established, detailing how information should be shared between the incident response team, executive leadership, employees, and external stakeholders.

3. Documentation and reporting: Procedures should be established to ensure that incidents are tracked and analyzed effectively, and that regulatory requirements are met.

Technology:

1. Security tools and technologies: The incident response team should have access to the necessary security tools and technologies, including network monitoring tools, endpoint protection software, and forensic analysis tools.

2. System backups and disaster recovery: Regular system backups and disaster recovery procedures should be established to ensure that critical data can be restored quickly in the event of a breach.

3. Threat intelligence: The organization should have access to up-to-date threat intelligence to help detect and respond to emerging threats.

By focusing on these areas, organizations can build internal capabilities for cyber incident response, improving their ability to detect and respond to security incidents effectively and efficiently.

7.1 Phases of Incident Response:

(Figure: Preparation, Identification, Containment, Eradication, Recovery, Follow Up)

7.1.1 Preparation
• An organization prepares for a potential cyber incident by developing an incident
response plan, identifying the roles and responsibilities of the incident response team,
and establishing communication channels for reporting and responding to incidents
(Refer section: Devising a Cyber Incident Response Strategy for your Organization).
This includes identifying critical assets, defining incident severity levels, and
implementing technical controls to detect and prevent incidents.

Threats: Malware, DDoS attack, hacking (ransom and extortion, espionage). Compromised sensitive information (malicious and accidental).

Prevention Toolkits28: Anti-virus software; Awareness trainings; Encryption; Anti DDoS and CDN measures; Data loss prevention software; Deploying approved scanning vendors; Penetration testing.

7.1.2 Identification

• The crucial stage in the process is the identification stage, where the starting point of an event is determined, and critical decisions must be made to categorize and respond to the event appropriately. If the procedures fail during this stage, the entire methodology can collapse.

• Once an incident is identified or suspected, evidence collection should begin immediately. However, determining whether abnormal activity is a one-off attack or part of an attack pattern can be difficult. Technology can assist with methods like intrusion detection and Real Time Threat Management Systems (RTTMS), but the human factor is typically the one with knowledge of abnormal activity in a specific corporate environment.

• Approaches for dealing with network incidents depending on their severity:

o Immediately close the attacker's point of entry and eliminate all possible access means.

o Remain "open" as long as possible to gather as much information as possible for use as evidence later.

(Figure: sources of incident information)
• Alert Logs: IDP/IPS; SIEM, XDR; Anti Virus software alerts.
• System logs from: Operating Devices; Operating Services; Applications; Network Devices; System flows.
• Publicly available Information: Open Source Information.
• People: Suspicious activity (User & Admin).


Audit log collection, examination, and analysis

The information about an incident can be found at various sources (e.g. firewall(s), Intrusion Detection System(s) (IDS), router(s), etc.); a great amount of effort and time is required to correlate them before reaching trustworthy conclusions. The importance of having a central System Log Server that performs log analysis is based on the observation that using one central system and applying filters can provide useful conclusions in a relatively short period of time.

Detection Systems

Host and Network-Based Intrusion Detection Systems have a vast database of known attack patterns that can be helpful in identifying the type and source of an incident. If the incident matches a known attack pattern in the IDS database, then the system in question should be checked for the vulnerability that caused the incident. If the system has the appropriate countermeasure, such as a software patch, then the incident is logged for future reference. However, if the incident is new and unknown, the security gateway audit logs, usually the firewall logs, should be analyzed to gather more information. If the affected system is found to be vulnerable, it should be isolated to prevent the incident from infecting other systems and networks.

Considerations: Collecting and correlating data from various sources, including logs, network traffic, cloud infrastructure, and endpoints, to identify potential threats and incidents helps responders to quickly understand the scope and impact of an incident and take appropriate actions, thus providing cross-layer visibility into the network, cloud, and endpoints.

When an incident is detected, it should be classified into one of three security levels based on its impact on the organization's financials, manufacturing, sales, corporate image, or customer trust. The extent of the impact will determine the initial response to the incident.

Developing a risk matrix which maps the impact of the incident to the urgency with which it should be addressed will help in prioritizing the further course of action.

Incident reporting and assessment

This categorization is part of the Incident Reporting Form, which documents all relevant information about the incident. The Incident Reporting Form is crucial since it contains valuable information that is reviewed later during a forensic analysis or follow-up phase. Examples of information include: the date and time of reporting, the date and time of incident discovery, the system in which the incident was first identified, possible affected systems and networks, system configuration, host applications, criticality, and the name and credentials of the person completing the form.

7.1.3 Isolation & Containment

The subsequent step involves promptly implementing remedies, which restrict the scope of the incident and allow the attack to operate only to the desired extent. However, some attacks may need to continue to allow for computer forensics analysis for certain reasons.

Standard approaches to addressing the situation involve making patch installations and configuration modifications to critical perimeter, public, and internal systems.

Preventive Measures:

• Deactivation of particular system services.

• Alteration of access and authentication systems and deactivation of accounts.

• Disconnection of the affected system from the network.

• Temporary suspension of the compromised system.

• Recovery of the compromised system.

7.1.4 Eradication

This phase pertains to the solutions that need to be implemented on the affected systems in the medium and long term to eliminate any potential avenues for the specific attack to reoccur. Possible measures during this stage consist of verifying policy compliance, conducting independent security audits, and updating policies, among others.

Preventive Measures

• Altering access and authentication systems in all compromised systems.

• Completely removing intruder access and identifying any possible alterations.

• Fully reinstalling the compromised systems and rebuilding the system.

7.1.5 Recovery

Once all the prior steps have been carried out effectively, the process of system recovery and enhancement of security mechanisms should commence to restore the entire system to operation without any open security vulnerabilities. This may involve actions such as rebuilding the entire system, retrieving data from backup media, installing additional security mechanisms, and so on. Prior to reintroducing compromised systems into operation, it is recommended to conduct a vulnerability assessment or penetration test to reveal any potential existing vulnerabilities.

Preventive Measures

• Rebuilding the system from the ground up.

• Restoring user data from reliable backups.

• Conducting an audit of system configurations.

• Reviewing the protective and detective mechanisms to ensure that they are functioning properly.

7.1.6 Follow-Up Phase

It is crucial to document all actions and information related to the incident and to disseminate electronic evidence for analysis by experts in a forensically sound manner. In addition, a post-incident meeting with senior management should be held to evaluate the damage, the strengths and weaknesses of policies, and the necessary procedures to be followed. The aftermath of an incident may require updates to security policies, procedures, and guidelines to prepare for future attacks. Once the incident analysis is complete, changes to system configurations should be documented, and the inventory of systems and network assets should be updated to reflect these changes.

8

Supplementing Organizational Incident Response

Establishing Linkages with Cyber Attack Kill Chain: Understanding the steps of the 'Cyber Attack Kill Chain' provides insights into intrusion detection and adversary tactics. Mapping these steps against preventive controls helps with investment decisions, defensive strategies, and real-time response to cyber attacks29.

The ability to act


promptly is critical
during a cybersecurity
breach. The OODA
loop comprises of
four phases, namely
Observe, Orient,
Decide, and Act,
which are repeatedly
iterated.
29 Refer to annexure for more details.


OODA Loop in Action: Proactive Steps for Timely Data Breach Mitigation (figure)

• Observe: Noticing anomalies in the environment. Analysing the behaviour of adversaries.
• Orient: Preparing for the situation by data collection and analysis.
• Decide: Correlating the information to determine the source threat.
• Act: Response and further course of action in accordance with the detected threat.

The ability to act promptly is critical during a cybersecurity breach. The OODA loop comprises four phases, namely Observe, Orient, Decide, and Act, which are repeatedly iterated. The OODA loop serves the purpose of assisting individuals in making informed decisions and taking prompt action instead of succumbing to inactivity. At its core, it is a framework for recognizing and evaluating an individual's thought process, actions, reactions, and ability to adjust to stimuli. This approach can be extremely beneficial to an information security professional and has diverse applications in both offensive and defensive contexts30.


9

Achieving Regulatory Compliance: Recommendations for Organizations

• Acknowledge your baseline and establish clear cybersecurity policies and procedures aligned with regulations. This means understanding your organization's most critical assets and the risks they face, and then developing policies and procedures that will help to mitigate those risks.

• Conduct regular risk assessments to quickly identify vulnerabilities and prioritize actions. This will help organizations to identify areas where security posture is weak.

• Train employees on cybersecurity policies and on their roles and responsibilities. Employees are often the weakest link in an organization's cybersecurity defenses, so train them to identify and report suspicious activity.

• Engage in third-party risk management to ensure compliance throughout the supply chain. This means assessing the cybersecurity risks of your third-party vendors and taking steps to mitigate those risks.


• Identify all devices on your network, including forgotten devices. This will help you to get a complete picture of your network and to identify any potential security vulnerabilities.

• Develop and test an incident response plan for effective handling of security incidents. This plan should outline how your organization will identify, contain, and eradicate security incidents.

• Regularly assess and improve cybersecurity controls and practices. The threat landscape is constantly evolving, so it is important to regularly review your security controls and make changes as needed.

• Seek guidance of legal and compliance professionals on regulatory requirements.

• Stay informed about evolving regulations and engage with regulatory bodies. Cybersecurity regulations are constantly changing, so it is important to stay updated. Engage with regulatory bodies to understand their expectations and to get feedback on your compliance efforts.

By following these recommendations, organizations can effectively address the compliance implications associated with cybersecurity regulations and demonstrate their commitment to cybersecurity, accountability, and transparency.


10

Solutions Enabling End-To-End Security to Enterprises

Only 15% of global organizations have a mature cybersecurity posture to defend against the risks of the hybrid world31.
To ensure comprehensive end-to-
end security, it is crucial to establish
strong connections between securing
the end user, remote users on the
cloud, and the network. This can be
achieved by implementing several key
measures. Firstly, deploying robust
endpoint security solutions helps
protect individual devices and fortify
the first line of defense. Secondly,
implementing secure remote access
and cloud security measures ensures
encrypted communication channels
and secure connectivity for remote
users. Thirdly, strengthening network
security through firewalls, intrusion
prevention systems, and network
segmentation helps protect against
unauthorized access and network
attacks.

Let's explore some key solutions that enable end-to-end security in cyberspace.

• Endpoint Security Solutions: Endpoint security focuses on protecting individual devices, such as desktops, laptops, and mobile devices, from threats and unauthorized access. It involves deploying robust antivirus software, firewalls, encryption techniques, and intrusion detection systems to secure endpoints. Advanced solutions like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) provide enhanced threat detection, real-time monitoring, and rapid response capabilities.

• Network Security Solutions: Network security solutions play a crucial role in safeguarding the communication channels and infrastructure within an organization. These solutions include firewalls, secure gateways, Intrusion Prevention Systems (IPS), Virtual Private Networks (VPNs), and Network Access Controls (NAC). They help protect against unauthorized access, data breaches, network attacks, and malware propagation across the network.

• Cloud Security Solutions: Cloud security solutions involve implementing strong access controls, encryption, Data Loss Prevention (DLP) measures, and continuous monitoring of cloud environments. Additionally, cloud providers often offer security services such as cloud-based firewalls, threat intelligence, and security incident response to enhance overall cloud security.

• Security Information and Event Management (SIEM): SIEM solutions aggregate and analyze security event data from various sources to provide real-time threat detection, incident response, and compliance management. SIEM systems collect logs, monitor network traffic, and generate alerts, enabling organizations to proactively identify and respond to security incidents.

• Identity and Access Management (IAM): IAM solutions are crucial for managing user identities, authentication, and access rights across different systems and applications. By implementing strong authentication mechanisms, Multi-Factor Authentication (MFA), and Role-Based Access Controls (RBAC), organizations can mitigate the risk of unauthorized access and improve overall security.

10.1 Securing the Cyberspace: Exploring Solutions

Security measures implemented by organizations to protect their digital assets fall into three categories: network, endpoint and logs. To mitigate the possibility of an undetected threat actor persisting in the network for an extended duration, it is crucial to incorporate all these elements in establishing a comprehensive Security Operations Centre (SOC) Visibility Triad. This triad employs a proactive methodology aimed at reducing the risk and ensuring early detection.

Figure 8: SOC Visibility Triad (Source: Gartner). The three vertices of the triad are SIEM/UEBA, Network Detection and Response, and Endpoint Detection and Response.
• Endpoint-centric measures:

1. Tools: Endpoint Detection and Response.

2. Limitation: Lack visibility across networks, servers, and cloud workloads.

• Log-based measures:

1. Tools: Security Information and Event Management (SIEM), User and Entity Behaviour Analytics (UEBA) tools, Cloud Access Security Brokers (CASB).

2. Limitation: SIEM tools primarily focus on threat detection by gathering data from various sources, conducting analysis, and providing actionable signals. However, they often face challenges in providing comprehensive visibility and context for detecting and responding to advanced threats.

• Network-based measures:

1. Tools: Network Traffic Analysis (NTA), Network Detection and Response (NDR) solutions.

2. Limitation: Lack endpoint visibility.

These approaches create silos of disjointed toolsets, resulting in a lack of understanding of what is critical, no incident prioritization, and reduced speed of response, which are leveraged by threat actors to intrude into the network.

10.2 Addressing the Gaps: Inadequate Integration and Siloed Security Tools

51% express concerns about the capabilities of their existing tools to effectively detect and investigate advanced threats. 36% of professionals aren't satisfied with their existing tools' capability to efficiently correlate alerts.32

Organizations often depend on security tools from different vendors to build their security infrastructure. However, the lack of integration or shared telemetry among these tools poses significant concerns. To address these challenges effectively, it is crucial to integrate threat detection tools across endpoint, network, and log-based security measures. By doing so, organizations can overcome the following issues:

• Overreliance on disconnected security tools.

• Insufficient data integration across vendors hampers seamless integration with analysis tools, resulting in analysis paralysis. Organizations lack a unified and comprehensive view of the overall security landscape.

• Lost time and effort spent switching between different tools.

• Lack of coordination among the various tools, leading to complex security operations and impeding the effectiveness of incident response capabilities.

• Insufficient return on investment (ROI) for the organization's existing security investments.

10.3 XDR as an Approach

XDR encompasses three core aspects. Firstly, it involves gathering telemetry from diverse sources. Secondly, it

applies analytics to the collected telemetry to identify malicious activities. Finally, XDR emphasizes not only the detection but also the response and remediation of these malicious elements (IDC).

Elements of an Effective XDR system (figure):

01 Availability of a centralized incident response system that integrates individual security products.

02 Centralized collection of normalized data from various components of the XDR system.

03 Correlation of events and alert generation to inform security administrators of detected incidents.

How XDR Empowers First Line of Response

SOC analysts are facing challenges in prioritizing the increasing volume and complexity of security alerts. It is crucial to find a balance between identifying relevant threats and prioritizing them based on contextual awareness.

The XDR Advantage

• Improved Threat Detection: XDR integrates multiple security controls for comprehensive threat detection, reducing false positives.

• Advanced Analytics and Correlation: XDR uses analytics and correlation techniques to prioritize and consolidate related alerts.

• Contextual Insights: XDR leverages both local telemetry data and global threat intelligence to provide contextual insights into security events. This helps SOC analysts understand the significance and potential impact of alerts, enabling them to focus on critical threats and ignore noise.

• Automated Response and Remediation: XDR automates predefined response actions, reducing manual effort for SOC (Security Operations Centre) analysts.

• Unified Management and Investigation: XDR provides a centralized console for managing and investigating security events. It allows SOC analysts to view alerts, events, and incidents from multiple sources in a centralized location. This unified approach streamlines the investigation process, enables efficient collaboration, and reduces the time spent on navigating disparate systems.

• Integration with Existing SOC Components: XDR integrates with SIEM and SOAR (Security Orchestration, Automation, and Response) tools, enhancing the overall effectiveness of the SOC infrastructure.

How does XDR work?

XDR systems integrate multiple tools into a unified platform for the detection and response to security incidents. By collecting historical and real-time data from various levels of the enterprise infrastructure, including access points, network layers, sandboxes, vulnerability scanners, cloud environments, mail traffic, access control systems, and DLP systems, XDR provides comprehensive control over potential attacks.

The collected information undergoes several stages: normalization based on predefined parameters, storage in a Data Lake, correlation, response, and, if needed, investigation. This streamlined process simplifies operations and enables efficient management of security incidents.
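The stages just listed (collection from differently shaped sources, normalization, storage in a data lake, correlation, alert generation) together with the contextual scoring from local telemetry and global threat intelligence described under "The XDR Advantage" can be sketched in code. The following Python block is an added example written for this page, not code from the paper or from any XDR vendor: it normalizes three constructed record shapes (an EDR process event, an NDR flow record and two firewall syslog lines) into one schema, keeps them in an in-memory list standing in for the data lake, correlates per host within a time window, scores each candidate from telemetry severity, asset criticality and threat-intel matches, and emits prioritized alerts so that a single uncorroborated firewall deny stays low priority while a corroborated endpoint-plus-network chain on a critical asset rises to the top. The record formats, asset context, scores and the threat-intel list are all assumptions.

```python
"""Normalize telemetry of three differently shaped sources into one schema,
keep it in an in-memory data lake, correlate per host and emit prioritized
alerts. Added example of the XDR stages described in the text; not vendor or
paper code. Record shapes, scores, asset context and intel list are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
WINDOW = timedelta(minutes=10)                 # correlation window (assumption)

# Constructed raw records, each in its producer's own shape.
RAW_EDR = [{"time": "2023-09-12T09:00:10", "hostname": "ws-042", "event": "process_create",
            "image": "powershell.exe", "parent": "winword.exe", "risk": "high"}]
RAW_NDR = [{"ts": 1694509230, "src_host": "ws-042", "dst_ip": "198.51.100.23",
            "dst_port": 8443, "bytes": 120000, "label": "beaconing"}]
RAW_FW = ["2023-09-12T09:00:31 fw01 ALLOW src=ws-042 dst=198.51.100.23 dport=8443",
          "2023-09-12T09:05:00 fw01 DENY src=ws-007 dst=203.0.113.55 dport=23"]

# Local context and global threat intelligence (both constructed for the example).
ASSET_CONTEXT = {"ws-042": {"owner": "finance", "criticality": 3},
                 "ws-007": {"owner": "lab", "criticality": 1}}
THREAT_INTEL = {"198.51.100.23"}               # indicators flagged by an intel feed

def norm_edr(r):
    """EDR event -> common schema; vendor risk word becomes a numeric score."""
    return {"ts": datetime.fromisoformat(r["time"]), "host": r["hostname"], "source": "edr",
            "category": "suspicious_process", "indicator": f'{r["parent"]}>{r["image"]}',
            "score": {"low": 1, "medium": 2, "high": 3}[r["risk"]]}

def norm_ndr(r):
    """NDR flow record (epoch seconds) -> common schema."""
    return {"ts": EPOCH + timedelta(seconds=r["ts"]), "host": r["src_host"], "source": "ndr",
            "category": r["label"], "indicator": r["dst_ip"], "score": 2}

def norm_fw(line):
    """Firewall syslog line -> common schema; a bare allow/deny is low-severity."""
    ts, _device, action, rest = line.split(" ", 3)
    f = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": f["src"], "source": "fw",
            "category": f"fw_{action.lower()}", "indicator": f["dst"], "score": 1}

def collect():
    """Collection and normalization; the sorted list stands in for the data lake."""
    lake = ([norm_edr(r) for r in RAW_EDR] + [norm_ndr(r) for r in RAW_NDR]
            + [norm_fw(line) for line in RAW_FW])
    return sorted(lake, key=lambda e: e["ts"])

def correlate(lake):
    """Fold events per host inside WINDOW into one candidate and score it from
    telemetry severity, asset criticality and threat-intel matches."""
    by_host = defaultdict(list)
    for e in lake:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        first = evs[0]["ts"]
        group = [e for e in evs if e["ts"] - first <= WINDOW]
        ctx = ASSET_CONTEXT.get(host, {"owner": "unknown", "criticality": 2})
        indicators = sorted({e["indicator"] for e in group})
        intel_hit = any(i in THREAT_INTEL for i in indicators)
        score = sum(e["score"] for e in group) + ctx["criticality"] + (3 if intel_hit else 0)
        alerts.append({"host": host, "owner": ctx["owner"], "score": score,
                       "sources": sorted({e["source"] for e in group}),
                       "indicators": indicators, "intel_match": intel_hit,
                       "categories": [e["category"] for e in group]})
    return alerts

def prioritize(alerts):
    """Alert generation: rank; P1 additionally needs more than one source."""
    for a in alerts:
        corroborated = len(a["sources"]) >= 2
        a["priority"] = ("P1" if a["score"] >= 8 and corroborated
                         else "P2" if a["score"] >= 4 else "P3")
    return sorted(alerts, key=lambda a: -a["score"])

def generate_alerts():
    return prioritize(correlate(collect()))

if __name__ == "__main__":
    for a in generate_alerts():
        print(a["priority"], a["host"], a["score"], a["sources"], a["categories"])
```

The three normalizers are the only source-specific code; everything downstream works on the common schema, which is what lets one correlation rule consume endpoint, network and firewall telemetry at once. The corroboration requirement in prioritize() is deliberate: a high score from a single source should be triaged, but not escalated as P1 on one tool's word alone.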

(Figure: XDR data flow)

Stages: Data Analysis, Data Aggregation, Context Correlation, Threat Detection, Response to Cyber Attack. Goal: prompt detection, impact prioritization, efficient response; high-quality data and accurate alerts.

Data Processing: Data consolidation, Data Integration, Data Normalization, Data Lake.

Security Tools: Firewall | Antivirus | IDS | IPS | VPN | IAM | SIEM | UEBA | EDR | NDR | CASB | Email Security | Threat Intelligence.

Data sources across cyberspace: Cloud, Endpoints, Endpoint Devices, Data Servers, Other data sources.

In the XDR framework, network security encompasses the monitoring, analysis, and response to network traffic to identify and address suspicious or malicious activities. It involves collecting and analysing network telemetry, such as network flow data, packet captures, and logs, in conjunction with endpoint telemetry to thoroughly detect and investigate security incidents. By leveraging network visibility and telemetry data, XDR solutions have the capability to uncover network-based attack patterns, lateral movement within the network, and command-and-control communications that may not be apparent when focusing solely on endpoint data. This expanded scope enhances the overall effectiveness of threat detection in XDR, enabling organizations to respond more efficiently to network breaches.

Recognizing the importance of both endpoint and network security, the

integration of these two components within XDR allows organizations to adopt a more comprehensive and robust approach to threat detection and response.

XDR harnesses the synergy of human reasoning and machine capabilities to make accurate and sophisticated decisions. It combines the functionalities ideally expected of SIEM tools, such as telemetry integration, alert correlation, and incident prioritization, as well as SOAR tools, such as automated triaging, investigation and response. Additionally, XDR integrates with underlying focussed detection and response platforms like EDR and NDR.

It's important to note that XDR does not replace existing security platforms such as SIEM or EDR; instead, it brings together multiple security products into a unified incident-response platform to up-level a SOC analyst.

(Figure 9, table)

EDR (Endpoint): Host IDS; Anti Malware; Device Control; Host Firewall.

NDR (Infrastructure): Network IDS; Log Collection.

XDR (Endpoint): Anti Malware; Host IDS. (Infrastructure): Network IDS; Log Collection.

SIEM (Endpoint): Long term retention; Log Collection; Customer Integration; Host IDS. (Infrastructure): Long term retention; Network IDS; Log Collection; Customer Integration.

Figure 9: Primary elements of each toolset mapping similarities amongst them. Core components are emphasised, while additional features observed are indicated in italics across Endpoint (Servers & Systems) and Network (Cloud & Network)

Traditional detection and response models are not enough to defend against sophisticated threats. Over 80% of organizations leverage more than 10 data sources for their security operations33. These models rely on individual security solutions that are often siloed and difficult to manage. This can lead to missed threats and slow response times. SIEM and SOAR solutions have been developed to address these challenges, but they have not fully solved the problem. SIEM solutions can unify data from multiple sources, but they can be complex and difficult to use. SOAR solutions can automate security operations, but they can be expensive and require a lot of manual configuration33.

XDR is a new approach to threat detection and response that aims to bridge the gap between traditional models and SIEM/SOAR solutions. XDR provides comprehensive visibility across multiple data sources and enables cohesive security operations. This allows security teams to quickly and confidently respond to threats.

10.3.1 XDR Use Cases

Threat Hunting:
• Many security teams struggle to find time for proactive threat hunting.
• XDR's telemetry and automation capabilities automate much of the process.
• Lightens the load on security teams, allowing them to perform threat hunting alongside other tasks.

Risk Prioritization:
• Security teams need to prioritize and respond quickly to critical alerts.
• XDR uses powerful analytics to correlate thousands of alerts into high-priority ones.
• It helps sift through the noise and identify alerts that require immediate attention.

Investigation:
• XDR enables extensive data collection, superior visibility, and automated analysis.
• Security teams can quickly determine the threat's origin, propagation, and potential impact.
• Helps in removing the threat and strengthening the network against future threats.

10.4 Market Considerations

XDR solutions are currently offered by security solution providers that offer a range of infrastructure protection products under a unified management platform, including EDR and network protection. However, there are market considerations and challenges that need to be addressed:

• Deployment challenges: Organizations currently rely on multiple point tools for different security aspects, which leads to a fragmented approach. For the long-term vision, security teams need to embrace the emerging technologies and solutions for a unified approach to cybersecurity.

• Integration with SOC: Integration with existing security infrastructure can be challenging for large enterprises that have already invested in establishing a SOC. Collaboration and integration with existing SOC components are more beneficial than competing with them.

• MDR/MSSP services: As threat detection and response become more complex, organizations are seeking external vendors to manage the entire process. XDR providers have the potential to complement their products by offering Managed Detection and Response (MDR) or Managed Security Service Provider (MSSP) services. They may also collaborate with existing MDR/MSSP services to provide a comprehensive security solution to organizations.
11

Conclusion

The rapidly evolving ICT-driven world
presents significant cybersecurity
challenges, driven by the migration to
the cloud and increased reliance on
technology. These developments have
created opportunities for organizations,
but they have also heightened the
risks of cyber threats. The shortage
of skilled cybersecurity professionals
further compounds the problem,
leaving organizations vulnerable to
attacks. The rise of connected devices
and the shift to a hybrid workforce
introduce additional weak points for
cybercriminals to exploit. Geopolitical
conflicts and the global landscape
have also contributed to the increase
in cyberattacks.
In the Indian context, digitalization
efforts have brought remarkable
progress but have also exposed
vulnerabilities to cyber threats.
Establishing efficient incident
response capabilities and adopting a
proactive approach to cyber defence
is paramount to functioning in a
cyber-compliant environment. Adhering
to these regulations and investing
in technological capabilities are

necessary steps. The role of the Chief Information Security Officer (CISO) is particularly important in maintaining network security, developing cybersecurity strategies, and establishing incident response plans to foster a culture of cyber resilience.

XDR offers a comprehensive security approach that extends beyond endpoints, safeguarding the entire enterprise infrastructure. This includes network layers, virtual devices, and hybrid clouds, providing robust protection against the complexities.

XDR's multifunctional analytical engine and investigation tools enhance its effectiveness in detecting and responding to incidents. Integration with other systems like SIEM, SOAR, DLP, IAM/IDM, UEBA, SASE, and CASB further enriches XDR's capabilities. The integration of machine learning and automation within XDR systems lightens the workload of security administrators, leading to improved overall efficiency.

The future of XDR looks promising as it aligns with the global trend of centralizing and consolidating security tools for efficient operations. Building upon the foundation of EDR products, XDR represents a logical progression in the ever-evolving security landscape.

A DSCI-CISCO POV Paper | 49


12 Encapsulate

The figure below provides an overview of the evolving landscape of cyber compliance. The lower layer of the framework focuses on the rise of sophisticated cyber threat actors amid growing geopolitical instability, leading to supply chain disruptions. Building upon this, the framework emphasizes the drivers that propel organizations to enhance their capabilities in key areas like threat intelligence, risk assessment, visibility, and threat analysis to strengthen their defence. This transformation is fuelled by the urgent need for agility and prompt response.

On top of these layers are the factors that drive the necessity for regulations. The framework outlines the cybersecurity regulations introduced by governmental bodies globally to enhance their cybersecurity posture and ensure greater compliance with established cybersecurity standards. It calls for approaches to build effective cyber incident response capabilities.

Figure: Evolving Landscape of Cyber Compliance (layers, top to bottom)

Regulatory Landscape
• International Developments: Computer Emergency Response Teams (CERT): US-CERT, CERT-UK, AusCERT, SingCERT, France CERT-FR, Japan JPCERT/CC
• National Developments: CERT-In, IT Act
• Sectoral: RBI Directions, SEBI Guidelines, IRDAI

Catalysts for Regulation: Data Security Threat in Cloud Architecture; Diminishing flow of info.; Breach Reporting; Credible Identification; Correlation; Investigations

Drivers for Compliance: Agility; Cloud Adoption; Rise of Hybrid Security; Faster Response

Geopolitical Instability

Threat Actors: Nation State; Criminal Syndicate; Supply Chain Disruption; Espionage; Insider; Hacktivism



Cyber Incident Response Strategy

The proposed encapsulate provides a comprehensive framework for a cyber incident response strategy, offering a deeper and overarching understanding of the theme. It serves as a valuable resource for enterprises seeking to enhance their incident response capabilities.

The framework consists of three layers. The top layer highlights the CISO mandates in navigating the ever-changing cybersecurity landscape. The second layer outlines the essential capabilities that organizations should possess to effectively mitigate the repercussions and aftermath of cyber incidents. The bottom layer identifies key areas that require the CISO's attention and focus for strengthening their competencies.

At the core of the encapsulate lie the pillars of a robust cyber incident response plan: multi-dimensional, synthesized, automated, and coordinated response. These pillars form the foundation for an effective and efficient incident response strategy.

Figure: Cyber Incident Response Strategy

CISO Mandates: Situational Awareness; Fostering Security First Culture; Risk Reduction; Ensuring Smooth Authentication; Breach Identification; Log Maintenance; Third Party Risk Management; Reporting; Communication; Forensics

Capabilities: Threat Visibility; Security Analytics; Vendor Risk Management; Detection and Response; Device Discovery & Insights; Risk Based Vulnerability Mgmt.

Areas: Threat Intelligence; Risk Assessment; Comprehensive Visibility; Threat Analysis
Pillars: Multi-Dimensional; Synthesised; Automated; Co-Ordinated, spanning Monitoring, Mitigation Readiness, Response, Containment, Eradication and Recovery
Focus: Consolidation & Platformization of Security; Capacity Building in Emerging Technologies; Fostering Resilience; Automation of Security & Controls

Resources / References: NIST Framework; MITRE ATT&CK knowledge base; SANS Framework


13 Annexure

13.1 Cyber Kill Chain [Phases of Cyber Attack]

The seven steps of the Cyber Kill Chain (the model popularised by Lockheed Martin) are an intelligence-driven approach to intrusion detection. To succeed, an adversary must move through every phase of the attack lifecycle: exploit vulnerabilities, install malware and take active control of the system. Breaking the chain at any one phase therefore stops the intrusion.

The dissection of the stages provided by the Cyber Kill Chain improves the visibility of an incursion and aids security teams in comprehending the strategies, tactics, and practices of an adversary. The steps come together to produce a chain-like, integrated end-to-end process and are conceptualized to reveal the active state of a data breach. As each stage requires specific instrumentation to detect cyber attacks, effective coordination between people, processes, and technology is indispensable to interrupt the cyber-attack life cycle.

Mapping each step of the cyber kill chain against the preventive controls can help an organisation to:
• Make optimal investment decisions to prepare, plan, recover, and reconstitute its assets during or after an attack.
• Map the organization's defensive tools and capabilities across the cyber-attack lifecycle while adopting a threat-based strategy.
• Respond effectively to a cyber-attack in real time.



Table: Cyber Kill Chain stages with the corresponding prevention controls and security controls (columns of the original table: Stage, Prevention Controls, Security Controls)

1. Reconnaissance
Stage: Gathering information about the target.
• Passive Reconnaissance: information gathered from indirect and publicly available sources.
• Active Reconnaissance: direct interaction with the target. The adversary scans the network for open ports and maps the vulnerabilities for exploitation from both a system and a human perspective.
Prevention Controls: Implement strong access controls, monitor network activity for suspicious behaviour and host sweeps, and use web filtering to block access to known malicious sites.
Security Controls: Detect: Web Analytics, Threat Intelligence, NIDS. Deny: Information sharing policy, Firewall ACLs.

2. Weaponization: "Exploiting the weakness."
Stage: The attacker creates strategies to enter the target's network using the previously collected information. Preparing spear-phishing emails and "watering hole" sites for the transmission of malware is commonly observed.
Prevention Controls: Use advanced threat detection tools to identify and block weaponized payloads. Use email security filters to block malicious attachments, and implement software and application whitelisting to prevent unauthorized software from executing.
Security Controls: Detect: Threat Intelligence, NIDS. Deny: NIPS.

3. Delivery
Stage: The attacker determines the pathway to transmit malicious payloads or weapons based on the reconnaissance phase. Techniques include automated tools like exploit kits, spear-phishing attacks using malicious links or attachments, and malvertising.
Prevention Controls: Create user awareness, induct security training, and conduct phishing campaigns that introduce best security practices. Establish security controls against perimeter breaches by blocking malicious or risky websites via URL filtering.
Security Controls: Detect: Endpoint malware protection. Deny: Change Management, Application Whitelisting, Proxy Filter, HIPS. Disrupt: Inline AV. Degrade: Queuing. Contain: Router ACLs, App aware firewall, trust zones, Inter-zone NIPS.

4. Exploitation
Stage: The attacker starts to reap the benefits of preparing and delivering the attack. It can take the form of SQL injection, buffer overflow, malware, etc. The attacker investigates the targeted network to better understand its traffic patterns, the systems connected to it, and potential vulnerabilities.
Prevention Controls: Once the attacker has breached the host, few defence mechanisms remain. As the final line of defence against exploit attempts, techniques like data execution prevention and anti-exploit tooling are leveraged. Tools used after an infection rely on mechanisms such as sandboxes to find already-used exploits.
Security Controls: Detect: Endpoint malware protection, HIDS. Deny: Secure password, Patch management. Disrupt: DEP. Contain: App aware firewall, trust zones, Inter-zone NIPS.

5. Installation
Stage: The attacker ensures continued access to the network.
Prevention Controls: Use antivirus and endpoint protection tools to detect and block malware, implement application and software whitelisting to prevent unauthorized software from executing, and monitor network activity for suspicious behaviour.
Security Controls: Detect: Endpoint malware protection, HIDS. Deny: Privilege Separation, strong passwords, multi-factor authentication. Disrupt: Router ACLs. Contain: App aware firewall, trust zones, Inter-zone NIPS.

6. Command and Control
Stage: Once malware has been installed, the attackers control the connection between the compromised machine and their malicious infrastructure. To communicate and transfer data between the infected devices and their own infrastructure, the attackers set up a command channel.
Prevention Controls: Block uploads of files and data patterns as well as outgoing command-and-control connections. Use internal sinkholes to divert malicious outbound communication in order to locate and shut down compromised hosts. Deploy URL filtering to prevent outbound communication to known dangerous URLs. Compile a list of nefarious domains to ensure widespread detection and prevention via DNS monitoring. Implement granular application control so that only authorized applications run, preventing attackers from moving laterally with unidentified tools and scripts.
Security Controls: Detect: NIDS, HIDS. Deny: Network Segmentation, Firewall ACLs. Disrupt: HIPS. Degrade: Tarpit. Deceive: DNS Redirect. Contain: Trust Zones, DNS Sinkholes.

7. Actions on the objective
Stage: The adversaries act on their motivations to accomplish their purpose, now that they have control, persistence, and ongoing contact. This could be to extort money, exfiltrate data, destroy vital infrastructure, deface web property, or incite terror.
Prevention Controls: To implement the proper prevention-based controls, create links between the Network Operations Centre (NOC) and the Security Operations Centre (SOC). Implement data loss prevention tools to prevent exfiltration of sensitive data, monitor network activity for suspicious behaviour, and regularly back up critical data to ensure its availability in the event of a cyber attack.
Security Controls: Detect: Endpoint malware protection. Deny: Data at rest (Encryption). Disrupt: Endpoint malware detection. Degrade: Quality of service. Deceive: Honeypot. Contain: Incident Response.
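The mapping exercise the annexure recommends, mapping defensive tools across the kill chain to find where the adversary passes unopposed, is easiest to act on when the table above is turned into a course-of-action matrix and checked against the controls an organisation actually runs. The following is an added example written for this paper, not code from the DSCI-Cisco document: the stage and control names are transcribed from the table, while the set of "deployed" controls is a constructed sample standing in for an estate with perimeter and endpoint tooling only.

```python
"""Kill-chain course-of-action matrix (added example, not part of the DSCI-Cisco paper).

Maps each Cyber Kill Chain stage to the defensive action classes used in the table
above (detect, deny, disrupt, degrade, deceive, contain) and reports which prescribed
cells have no deployed control. Control names come from the table; the deployed set
below is a constructed sample.
"""
from collections import OrderedDict

ACTIONS = ("detect", "deny", "disrupt", "degrade", "deceive", "contain")

STAGES = ("reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objective")

# Controls per stage and action class, transcribed from the table above (lower-cased).
MATRIX = {
    "reconnaissance": {
        "detect": {"web analytics", "threat intelligence", "nids"},
        "deny": {"information sharing policy", "firewall acls"},
    },
    "weaponization": {
        "detect": {"threat intelligence", "nids"},
        "deny": {"nips"},
    },
    "delivery": {
        "detect": {"endpoint malware protection"},
        "deny": {"change management", "application whitelisting", "proxy filter", "hips"},
        "disrupt": {"inline av"},
        "degrade": {"queuing"},
        "contain": {"router acls", "app aware firewall", "trust zones", "inter-zone nips"},
    },
    "exploitation": {
        "detect": {"endpoint malware protection", "hids"},
        "deny": {"secure password", "patch management"},
        "disrupt": {"dep"},
        "contain": {"app aware firewall", "trust zones", "inter-zone nips"},
    },
    "installation": {
        "detect": {"endpoint malware protection", "hids"},
        "deny": {"privilege separation", "strong passwords", "multi-factor authentication"},
        "disrupt": {"router acls"},
        "contain": {"app aware firewall", "trust zones", "inter-zone nips"},
    },
    "command_and_control": {
        "detect": {"nids", "hids"},
        "deny": {"network segmentation", "firewall acls"},
        "disrupt": {"hips"},
        "degrade": {"tarpit"},
        "deceive": {"dns redirect"},
        "contain": {"trust zones", "dns sinkholes"},
    },
    "actions_on_objective": {
        "detect": {"endpoint malware protection"},
        "deny": {"data at rest encryption"},
        "disrupt": {"endpoint malware detection"},
        "degrade": {"quality of service"},
        "deceive": {"honeypot"},
        "contain": {"incident response"},
    },
}


def coverage(deployed):
    """Return {stage: {action: [deployed controls]}} for a set of deployed control names."""
    deployed = {d.lower() for d in deployed}
    result = OrderedDict()
    for stage in STAGES:
        result[stage] = {a: sorted(MATRIX[stage].get(a, set()) & deployed) for a in ACTIONS}
    return result


def gaps(deployed):
    """Return [(stage, action)] where the table prescribes a control but none is deployed.
    Cells the table leaves empty are not counted: nothing is prescribed there."""
    cov = coverage(deployed)
    return [(s, a) for s in STAGES for a in ACTIONS
            if MATRIX[s].get(a) and not cov[s][a]]


def uncovered_stages(deployed):
    """Stages with no deployed control in any action class: the adversary passes unopposed."""
    cov = coverage(deployed)
    return [s for s in STAGES if not any(cov[s].values())]


# Constructed sample: an estate with only perimeter and endpoint tooling.
SAMPLE_DEPLOYED = {"Firewall ACLs", "NIDS", "Endpoint malware protection", "Patch management"}

if __name__ == "__main__":
    for stage, action in gaps(SAMPLE_DEPLOYED):
        print(f"gap: {stage:22s} {action}")
    print("stages with no control at all:", uncovered_stages(SAMPLE_DEPLOYED))
```

Run against the sample set, every stage still has at least a detect control, so no stage is entirely uncovered, but the deny/disrupt/contain cells from delivery onwards are empty: the estate can see the intrusion but cannot interrupt it, which is exactly the investment decision the mapping is meant to surface.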



13.2 OODA Loop In Cyber Incident Response

Figure: OODA Loop in Cyber Incident Response

Observe: Monitoring (identification and analysis of traffic); vulnerability information; security policies; measurable events; direct observation
Orient: Information collection; assessing applicability, operational issues and risk; shaped by implicit directions, outsider information, training and experience
Decide: Remediation strategies for security incidents
Act: Incident suppression; rollouts, monitoring and managing breakages



Observe

The Observe phase of the OODA loop involves ongoing monitoring and data collection of computer networks and information systems. This includes identifying vulnerabilities, analysing network traffic, identifying hosts, and observing measurable events like intrusion detection alerts. The monitoring process utilizes security monitoring tools to identify unusual behaviour that may necessitate further investigation.

Tools: Log Analysis, SIEM Alerts, IDS Alerts, Traffic Analysis, NetFlow tools, vulnerability analysis, and Application performance monitoring, among others, can be utilized to document observations about network and business operations for efficient defence and response.

Orient

The Orient phase of the OODA loop is considered the most crucial stage. During this phase, data is analyzed and synthesized through alert correlation and other methods. A comprehensive visualization of the network situation can be highly beneficial for human analysts. This information can then be utilized to tailor defence strategies against the latest attack tools and tactics.

Tools such as Incident Triage, Situational Awareness, Threat Intelligence, Security Research, and related sources can help gain insight into the attacker's mindset.

Figure 10: Three-level model of situational awareness (Environment -> Perception -> Comprehension -> Projection -> Decision -> Action)
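The Observe and Orient phases described above are where clock discipline and alert correlation actually meet: raw events from several sensors, each in its own timestamp convention, have to be normalised before they can be correlated per host and mapped onto the kill-chain stages they evidence. The block below is an added example for this annexure, not code from the DSCI-Cisco paper. The log lines, host names, the sinkhole address 10.255.255.1, the stage rules and the scoring thresholds are all constructed for the illustration; it also carries the loop one step further into Decide by proposing a response tier per host.

```python
"""Observe -> Orient -> Decide over constructed alert lines (added example; not from the
DSCI-Cisco paper). Observe: parse heterogeneous log lines into normalised UTC events.
Orient: correlate events per host inside a time window and map them onto kill-chain stages.
Decide: rank hosts and propose a response tier. All inputs are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: three sources, three timestamp conventions. The proxy logs in IST,
# the EDR writes naive timestamps (assumed UTC here). In a real estate all clocks must be
# NTP-synchronised (see the CERT-In direction on time synchronisation in 13.3).
SAMPLE_LOGS = [
    "ids|2023-09-01T08:02:11Z|host=ws-17|sig=ET MALWARE Possible Cobalt Strike beacon",
    "proxy|01/Sep/2023:13:31:40 +0530|host=ws-17|url=http://cdn-update.example/a.exe|action=allowed",
    "edr|2023-09-01 08:03:05|host=ws-17|event=new_service|name=WinUpdSvc",
    "dns|2023-09-01T08:05:50Z|host=ws-17|query=cdn-update.example|answer=10.255.255.1",
    "ids|2023-09-01T08:40:00Z|host=db-02|sig=ET SCAN Nmap Scripting Engine",
    "edr|2023-09-01 02:00:00|host=fs-01|event=new_service|name=Backup",
]

# Which (source, pattern) evidences which kill-chain stage: an assumption for the example.
STAGE_RULES = [
    ("ids",   re.compile(r"SCAN"),                    "reconnaissance"),
    ("proxy", re.compile(r"\.exe"),                   "delivery"),
    ("edr",   re.compile(r"new_service"),             "installation"),
    ("ids",   re.compile(r"beacon|MALWARE"),          "command_and_control"),
    ("dns",   re.compile(r"answer=10\.255\.255\.1"),  "command_and_control"),  # assumed sinkhole IP
]

SOURCE_TZ = {"edr": timezone.utc}  # naive-timestamp sources and the zone we assume for them


def parse_ts(source, raw):
    """Observe: normalise the three timestamp formats to timezone-aware UTC datetimes."""
    if raw.endswith("Z"):
        return datetime.fromisoformat(raw[:-1]).replace(tzinfo=timezone.utc)
    if source == "proxy":
        return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=SOURCE_TZ[source])


def observe(lines):
    """Parse lines into (utc_time, source, host, payload) tuples, sorted by time."""
    events = []
    for line in lines:
        source, raw_ts, *fields = line.split("|")
        kv = dict(f.split("=", 1) for f in fields)
        events.append((parse_ts(source, raw_ts), source, kv["host"], "|".join(fields)))
    return sorted(events)


def orient(events, window=timedelta(minutes=30)):
    """Correlate per host: stages evidenced by events within `window` of that host's first event."""
    per_host = defaultdict(list)
    for ts, source, host, payload in events:
        per_host[host].append((ts, source, payload))
    findings = {}
    for host, evs in per_host.items():
        start = evs[0][0]
        stages = set()
        for ts, source, payload in evs:
            if ts - start > window:
                break
            for src, pat, stage in STAGE_RULES:
                if src == source and pat.search(payload):
                    stages.add(stage)
        findings[host] = stages
    return findings


def decide(findings):
    """Map evidenced stages to a response tier; later kill-chain stages weigh more."""
    weight = {"reconnaissance": 1, "delivery": 2, "installation": 3, "command_and_control": 4}
    tiers = {}
    for host, stages in findings.items():
        score = sum(weight[s] for s in stages)
        if "command_and_control" in stages and "installation" in stages:
            tiers[host] = ("contain", score)      # isolate the host, preserve volatile evidence
        elif score >= 3:
            tiers[host] = ("investigate", score)
        else:
            tiers[host] = ("monitor", score)
    return tiers


if __name__ == "__main__":
    for host, (action, score) in decide(orient(observe(SAMPLE_LOGS))).items():
        print(f"{host:6s} score={score:2d} -> {action}")
```

The proxy line is logged at 13:31 IST and the IDS line at 08:02 UTC; only after normalisation do they fall into the same window on ws-17 and combine with the new service and the sinkholed DNS answer into a delivery, installation and command-and-control sequence that justifies containment. Shrink the window to 30 seconds and the same host collapses to a single delivery event, which is the point the paper makes about time synchronisation: correlation is only as good as the clocks behind it.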

Considerations: It is vital to ensure that Threat Intelligence feeds the security monitoring tools, providing the right information and context for effective threat detection and response.

Decide

The initial two stages of the OODA loop aim to position the analyst appropriately to prepare for the Decide phase. This phase involves making a decision by weighing the need for prompt action against the requirement for informed choices based on the data collected in the Observe and Orient stages.

During the Decide phase, the observations and context gained from the previous stages guide the decision-making process. It is essential to document all aspects of the Incident Response process, with attention given to communication regarding data collection and decision-making procedures.



Tools: Organisation's security policies and documentation.

Act

Taking immediate action after making a decision is essential within the OODA loop framework. The objective of this approach is to enable rapid decision-making and confuse the adversary. If too much time is spent analysing a decision before acting, it becomes more likely that the adversary will act first and make the decision irrelevant. Therefore, quick action and a return to the Observe phase are necessary to learn about the adversary from its reactions to previous actions.

After taking the action, remediation and recovery are essential, and it is critical to improve the incident response procedures based on lessons learned. Constantly improving the ability to act effectively during incidents is key to success.

Tools: Data capture tools, forensic analysis tools, system backup and recovery tools, patch management, and other systems management tools can aid in this process.

Considerations: It is crucial to understand that the iteration through the OODA loop is a mental process that should be performed by a human operator. The toolset is therefore designed to assist the operator, not to replace the decision-making process. The tools provide information and enable actions, but the incident handler retains responsibility for the decisions and actions taken.

13.3 Cybersecurity Incident Guidelines Across Geographies

India

IT Act, 2000 (as amended in 2008): Origin & Extensions

Section 70B: It mandates all organizations and businesses to report any cyber incident or breach that affects their computer resources to the Indian Computer Emergency Response Team (CERT-In) in a timely manner. This reporting requirement applies to all organizations (service providers, intermediaries, data centres, bodies corporate and government organisations), whether they are owned by the government or by private entities. The CERT-In directions of April 2022 were issued under sub-section (6) of Section 70B and are therefore an extension of the IT Act.

CERT-In Directions:

Scope of Applicability: Service providers, intermediaries, data centres, bodies corporate, Virtual Private Server (VPS) providers, cloud service providers, Virtual Private Network (VPN) service providers, and government organizations are subject to these directions.

The directions apply to all types of ICT environments, whether on-premises systems, systems managed by third-party providers, systems hosted in the cloud, or systems located in data centres.

Directions:

• Incident Reporting: Organizations must report cyber incidents to CERT-In within 6 hours of noticing them or of being informed about them. If requested, organizations must also provide information about the steps taken to protect against and prevent further incidents.

• PoC Appointment: Organizations are required to designate a Point of Contact (PoC) for communication with CERT-In, who should be available and responsive to ensure prompt and effective incident handling.

• Log Maintenance & Time Synchronization: Organizations must securely maintain logs of all their ICT systems for a rolling period of 180 days, within Indian jurisdiction, and must connect to the NTP server of the NIC or NPL, or to NTP


servers that can be traced back to these servers, to synchronize the clocks of all ICT systems. This ensures that logs from different systems can be correlated consistently and reliably.

• Customer Information: Network service providers, data centres, VPS providers, cloud service providers, and VPN service providers are required to register precise details of authenticated subscribers/customers and retain them for at least five years after cancellation or withdrawal of the registration.

• KYC Requirements: Virtual asset exchange providers, virtual asset service providers, and custodian wallet providers must keep all information collected during the Know Your Customer (KYC) process, including financial transaction records, for a period of five years.

Intermediaries: Intermediaries must report any security breaches to CERT-In as part of their due diligence obligations. CERT-In provides templates for reporting cybersecurity incidents on its website, covering details such as the time of occurrence, the type of incident, the impacted systems or network information, symptoms observed, technical systems deployed, actions taken, and other pertinent information.

Sector-specific regulations:

RBI: "Cybersecurity Framework for Banks"

• Requires prompt reporting of any cybersecurity incident, successful or attempted, within 2-6 hours, with details in a standard template.

• RBI prescribes measures such as incident reporting mechanisms, a cyber crisis management plan, system surveillance, and customer data protection to be established to mitigate risks.

• Payment aggregators under the "Guidelines on Regulation of Payment Aggregators and Payment Gateways" must have a board-approved information security policy in place to secure payment systems.

• Banks must have a written incident response program, cybersecurity policy, and crisis management plan to handle cyber threats, with mandatory reporting of cyber-breach incidents within 2-6 hours.

• RBI mandates the appointment of a CISO and a security steering committee, with incidents reported to the head of risk management.

• Periodic vulnerability assessment and penetration testing exercises are required for all critical systems in banks.

• RBI prescribes conducting due diligence, audits, and regular monitoring of vendors and service providers.

• The board of directors is held accountable for the overall information security governance framework.

• Appropriate training and awareness of cybersecurity policies and programs must be provided to human resources.

Telecom Sector: Telecom Regulatory Authority of India

Every telecommunication licensee is required to create a monitoring facility to detect intrusions, attacks, and frauds on its technical systems within a year of authorization, and must report any such occurrences to the Department of Telecommunications.


SEBI: "Cybersecurity & Cyber Resilience Framework"

The framework proposes a five-step approach to manage cybersecurity risks related to IT assets, processes, networks, and systems:

• Identify critical IT assets and associated risks.
• Protect assets with suitable controls and measures.
• Detect incidents, anomalies, and attacks with monitoring tools and processes.
• Respond promptly to incidents, anomalies, or attacks.
• Recover from incidents using the incident management, disaster recovery, and business continuity framework.

Stockbrokers and depository participants are required to ensure that records of user access to critical systems are identified and logged for audit and review purposes, and that the logs are maintained and stored in a secure location for a period of not less than two years.

SEBI has also established deadlines (within 6 hours) for reporting cyber attacks, and requires portfolio managers to submit quarterly reports on cyber incidents, breaches, and mitigation measures taken within 15 days of the end of each quarter.

Insurance Sector: IRDAI "Guidelines on Information and Cybersecurity"

The guidelines are applicable to all insurers, insurance intermediaries, and other entities regulated by IRDAI. Regulated entities are obligated to report any cyber incident to CERT-In within six hours of its detection. Additionally, they are required to submit the relevant information regarding these incidents to the authority within 24 hours of being notified. If any subsequent forensic analysis uncovers additional findings, these details must be updated and submitted to the authority within 24 hours of their availability.

Alongside these reporting requirements, the guidelines specify that registered insurance companies must maintain security logs for a minimum of six months, implement an incident management system that includes incident reporting and recording, and establish an incident response plan.

Consequences of Non-Compliance [Under IT Act]:

• Section 43A of the IT Act, 2000: Any company that fails to protect sensitive personal information from unauthorized access or disclosure may be liable to pay compensation to the affected individuals. The compensation may extend up to INR 5 crore (approximately USD 675,000) or more, depending on the damages suffered.

• Section 72A of the IT Act, 2000: Any person or entity that discloses personal information in breach of a lawful contract or without the consent of the individual concerned may face imprisonment of up to 3 years, a fine of up to INR 5 lakh (approximately USD 6,700), or both.

• Section 70B of the IT Act, 2000: Provides for the punishment of a person who fails to comply with CERT-In's directions or requests for information. Any person who contravenes the provisions of this section shall be punished with imprisonment for a term which may extend to one year, a fine which may extend to INR 1 lakh (approximately USD 1,350), or both.


In addition to the legal penalties, non-compliance with CERT-In may also result in
reputational damage and loss of trust from customers and partners.
Table 2: Comparison of Sectoral Cyber Incident Guidelines in India

Guidelines                                                          | RBI | SEBI | IRDA
Establishment of Incident Response Plan/Mechanisms                  | Yes | Yes  | Yes
CISO Appointment to oversee cyber incidents                         | Yes | Yes  | Yes
Audit Mechanisms, Due Diligence & Monitoring of Vendors             | Yes | Yes  | Yes
Maintenance, Monitoring & Audit log analysis                        | Yes | Yes  | Yes
Conduct of vulnerability assessment and penetration testing         | Yes | Yes  | Yes
Need for board-approved cybersecurity policy                        | two of the three regulators
Training and awareness of cybersecurity policies for human resources | two of the three regulators

The last two rows apply to two of the three regulators; RBI is one of them in both cases (see the RBI bullets above).

Power Sector

The Ministry of Power has established a Computer Emergency Response Team (CERT) to address cybersecurity risks within power systems. Additionally, four subsidiary CERTs have been created to work with power utilities in transmission, thermal, hydro, and distribution coordination. Intermediaries in the sector are required to notify CERT-In of any cyber incidents.

Singapore

A data breach that is not contained within the organization, involves personal data, and has caused or is likely to cause significant harm to affected individuals, or involves or is likely to involve 500 or more individuals, must be notified to Singapore's Personal Data Protection Commission as soon as practicable and within 3 calendar days, and to the affected individuals as soon as practicable, under section 26D(5) of the Personal Data Protection Act (PDPA). The Singapore Computer Emergency Response Team (SingCERT) has established incident reporting timelines for organizations to follow when reporting cybersecurity incidents.

Financial Sector - Monetary Authority of Singapore:

Financial institutions operating in Singapore are required to inform the Monetary Authority of Singapore (MAS) within one hour of discovering a severe incident that has a widespread impact on their operations or materially affects their customers, regardless of when the incident occurred.

Critical Infrastructure:

Companies designated as owners of critical information infrastructure are obliged to report any prescribed cybersecurity incident to the Commissioner of Cybersecurity within two hours of becoming aware of it, under the Cybersecurity Act 2018.


Other Establishments: All other organizations handling personal data are likewise required to report data breaches that are likely to result in significant harm or are of significant scale to Singapore's Personal Data Protection Commission as soon as practicable, within the 3-calendar-day limit noted above.

Consequences of Non-Compliance: This can lead to organizational fines of up to SGD 1 million or 10% of the organization's annual turnover in Singapore (whichever is higher).

United States of America - CIRCIA

The Cyber Incident Reporting for Critical Infrastructure Act, 2022 (CIRCIA) is significant legislation comparable to the CERT-In directions of 2022. It requires owners and operators of covered critical infrastructure[34] to inform the Cybersecurity and Infrastructure Security Agency (CISA) about cyber attacks that result in unauthorized access or disruption of business or industrial operations. CIRCIA requires covered entities to report covered cyber incidents to CISA within 72 hours of reasonably believing that the incident has occurred; ransomware payments must be reported within 24 hours of the payment being made. These obligations take effect only once CISA's implementing regulation is in force; until then, reporting to CISA remains voluntary.

Australia – SOCI Act

The Security of Critical Infrastructure Act 2018 (SOCI Act) categorizes various assets as critical. Responsible entities are required to report cybersecurity incidents to the Australian Cyber Security Centre (ACSC).

• Critical cybersecurity incidents: If a responsible entity experiences a cybersecurity incident that has had, or is likely to have, a significant impact on the availability of its asset, it must notify the ACSC within 12 hours of becoming aware of the incident; a verbal notification must be followed by a written report within 84 hours.

• Other cybersecurity incidents: For an incident that has had, or is likely to have, a relevant impact on the asset, the reporting timeline is within 72 hours of becoming aware of the incident, with a written record following verbal notification within 48 hours.

• Consequences of Non-Compliance: If an organization fails to report eligible data breaches, or to comply with the requirements for notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) under the Privacy Act's Notifiable Data Breaches scheme, it may face civil penalties of up to AUD 2.1 million per breach.

United Kingdom – NIS Regulations

Relevant digital service providers, such as online search engines, online marketplaces, and cloud computing services, have an obligation to report incidents that have a substantial impact on their service to the Information Commissioner's Office (ICO) within 72 hours. Personal data breaches must separately be reported to the ICO within 72 hours under the UK GDPR, which applies to all data controllers.

Financial sector: Entities regulated by the Financial Conduct Authority (FCA) must report material cyber incidents to the authority as soon as they become aware of them. Whether an incident is material is determined against specific criteria, and incidents meeting those criteria must be reported immediately* to the FCA.

Consequences of Non-Compliance: Under the UK GDPR, failing to report a personal data breach within the prescribed timeline is subject to the standard maximum fine of £8.7 million or 2% of annual global turnover (whichever is greater); the higher maximum of £17.5 million or 4% applies to breaches of the core data protection principles and of data subjects' rights.

European Union: GDPR / CERT-EU

The General Data Protection Regulation (GDPR) requires data controllers to report personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

* "Immediate" is subjective and depends on the nature and severity of the incident.
CERT-EU (the Computer Emergency Response Team for the EU institutions, bodies and agencies) is responsible for handling cybersecurity incidents that affect the IT systems and networks of the EU institutions, agencies, and bodies. It does not impose reporting timelines on other organizations.

Consequences of non-compliance: Under the GDPR, failing to report a personal data breach, or delaying the report without a valid reason, falls under the lower fining tier of up to €10 million or 2% of global annual turnover, whichever is greater; the upper tier of €20 million or 4% is reserved for violations of the basic processing principles, data subject rights and international transfer rules. Additionally, failing to comply with the NIS Directive can result in administrative fines or penalties imposed by national authorities.


References
1
Drew Todd, ‘Ponemon Institute: Cost of Data Breach Hits Record High’ <https://www.secureworld.io/
industry-news/cost-of-a-data-breach>
2
‘Cost of a Data Breach 2022 | IBM’ <https://www.ibm.com/reports/data-breach>
3
‘Cost of a Data Breach 2022 | IBM’.
4
Compliancy Group, ‘How to Limit the Cost of Data Breaches’, Compliancy Group, 2019 <https://
compliancy-group.com/how-to-limit-cost-of-data-breach/>
5
‘2022 Data Breach Investigations Report’, Verizon Business <https://www.verizon.com/business/
resources/reports/dbir/>
6
‘Incident-Response-Planning-Infographic.Pdf’ <https://www.cisco.com/c/dam/en/us/products/
collateral/security/incident-response-planning-infographic.pdf>
7
‘CISCO_Security_eBook_Digi.Pdf’ <https://www.cisco.com/c/dam/m/en_be/offers/security/CISCO_
Security_eBook_Digi.pdf>
8
‘Cost of a Data Breach 2022 | IBM’.
9
‘India Witnessed 13.9 Lakh Cybersecurity Incidents In 2022: Govt’ <https://inc42.com/buzz/india-
witnessed-13-9-lakh-cybersecurity-incidents-in-2022-govt/>
10
‘Global Average Cost of a Data Breach 2022’, Statista <https://www.statista.com/statistics/987474/
global-average-cost-data-breach/>
Business Standard, ‘Cost for Data Breaches Averaged Rs 17.6 Cr in 2022, Highest Ever: IBM Study’,
11

2022 <https://www.business-standard.com/article/companies/cost-for-data-breaches-averaged-rs-
17-6-cr-in-2022-highest-ever-ibm-study-122072701127_1.html>
12
‘(ISC)2 2022 Cybersecurity Workforce Study’ <https://www.isc2.org:443/Research/Workforce-
Study>
13
Urvi Malvania and Veena Mani, ‘Shortage of Cybersecurity Professionals Triggers Fight for Talent’, The
Economic Times, 30 March 2023 <https://economictimes.indiatimes.com/jobs/mid-career/shortage-of-cybersecurity-professionals-triggers-fight-for-talent/articleshow/99116296.cms?from=mdr>
14. ‘Cyber Attacks Triple in Last Three Years, but Security Funds Underutilised’, The Economic Times <https://economictimes.indiatimes.com/tech/technology/cyber-attacks-triple-in-last-three-years-but-security-funds-underutilised/articleshow/95981111.cms?from=mdr>
15. ‘XDR Buyer’s Guide’, Cisco <https://www.cisco.com/c/en/us/products/collateral/security/securex/xdr-buyer-guide.html>
16. ‘IoT Connected Devices Worldwide 2019-2030’, Statista <https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/> [accessed 1 December 2022].
17. ‘IBM X-Force Threat Intelligence Index 2022’, SecurityHQ <https://www.securityhq.com/reports/ibm-x-force-threat-intelligence-index-2022/>
18. Refer to the figure for the detailed bifurcation of cyber threat actors.
19. ‘India: Number of Online Services Provided by the Government 2021’, Statista <https://www.statista.com/statistics/1170639/india-number-of-online-services-provided-by-the-government/>
20. ‘India: Number of Active Internet Users 2025’, Statista <https://www.statista.com/statistics/1257929/india-number-of-active-internet-users/>
21. ‘Cyber Attacks on Healthcare Sector Rising’, BusinessLine, 2022 <https://www.thehindubusinessline.com/opinion/cyber-attacks-on-healthcare-sector-rising/article66278678.ece>
22. ‘Private Banks Reported Most Data Breaches in 2018-22: Parliament Told’, Business Standard, 2022 <https://www.business-standard.com/article/companies/private-banks-reported-most-data-breaches-in-2018-22-parliament-told-122080201419_1.html>
23. Refer to the table below for cyber incident and breach notification timelines across jurisdictions.
24. Refer to the annexure for a detailed guide to cybersecurity regulations across jurisdictions.
25. ‘Cert-In - Home Page’, CERT-In <https://www.cert-in.org.in/SecurityIncident.jsp>
26. Refer to the annexure for a detailed view of the CERT-In directions along with the sectoral regulations.
27. Consideration: employee awareness and training. All employees should receive training on cybersecurity best practices and should know their role in incident response procedures, so that incidents are detected and reported quickly and the potential impact of a breach is reduced.
28. Indicative.
29. Refer to the annexure for more details.
30. Refer to the annexure for more details.
31. ‘Cybersecurity Readiness Index’, Cisco <https://www.cisco.com/c/m/en_us/products/security/cybersecurity-reports/cybersecurity-readiness-index.html>
32. Jon Oltsik, ‘ESG Research Report: SOC Modernization and the Role of XDR’, ESG <https://www.esg-global.com/research/esg-research-soc-modernization-and-the-role-of-xdr>
33. Oltsik, ‘ESG Research Report: SOC Modernization and the Role of XDR’.
34. CIRCIA's definition of "covered critical infrastructure" is broad and encompasses businesses that may not perceive themselves as providers of critical infrastructure.
Authors:
• Vinayak Godse, CEO, DSCI.
• Aditya Bhatia, Senior Consultant, DSCI.
• Neha Mishra, Associate, Technical Research, DSCI.

Acknowledgements:
• K.P.M. Das, National Cybersecurity Officer, Cisco.
• Aditya Raghavan, Cybersecurity Solutions Architect, Threat Detection & Response APJC, Cisco.
• Bhishm Narayan Sharma, Technical Solutions Architect, Cisco.
Cisco (NASDAQ: CSCO) is the worldwide technology leader that securely connects
everything to make anything possible. Our purpose is to power an inclusive future for all
by helping our customers reimagine their applications, power hybrid work, secure their
enterprise, transform their infrastructure, and meet their sustainability goals. Discover
more on The Newsroom and follow us on Twitter at @Cisco.
Cisco offers an industry-leading portfolio of technology innovations. With networking,
security, collaboration, cloud management, and more, we help to securely connect
industries and communities. Read more about our products and services here.

Data Security Council of India (DSCI) is a premier industry body on data protection in
India, set up by nasscom, committed to making cyberspace safe, secure and trusted
by establishing best practices, standards and initiatives in cybersecurity and privacy.
DSCI brings together governments and their agencies, industry sectors including IT-BPM,
BFSI and telecom, industry associations, data protection authorities and think-tanks for policy
advocacy, thought leadership, capacity building and outreach initiatives. For more information,
please visit www.dsci.in

DATA SECURITY COUNCIL OF INDIA


Nasscom Campus, Fourth Floor, Plot. No. 7-10, Sector 126, Noida, UP - 201303
+91-120-4990253 | research@dsci.in | www.dsci.in

Social media: DSCI_Connect | dsci.connect | dsci.connect | data-security-council-of-india | dscivideo

All Rights Reserved © DSCI 2023
